-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 21 Jan 2008, Mihai Voica wrote:

> Sorry for the wrapping, but I pasted it. Can anyone give me an idea of
> where this thing comes from and how I can fix it without a reinstall?
> The server was installed by someone else; in theory only httpd is a
> public service, and it seems that is where the hole is. Distro: CentOS 4.6
>
> [EMAIL PROTECTED] netstat -anput
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      11437/vsftpd
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      11453/sendmail: acc
> tcp        0      0 192.168.100.10:55031    69.42.218.68:6667       ESTABLISHED 5763/ssh
> tcp        0      0 192.168.100.10:39788    69.42.218.68:6667       ESTABLISHED 5660/ssh
> tcp        0      0 :::80                   :::*                    LISTEN      5660/ssh
> tcp        0      0 :::22
>
> (see ssh on port 80 and the established connections)
>
> [EMAIL PROTECTED] ps aux
> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
> root         1  0.0  0.0  1692  612 ?        Ss   Jan18   0:00 init [3]
> apache    5656  0.0  0.0     0    0 ?        Z    03:43   0:00 [sh] <defunct>
> apache    5660 99.9  0.1  4948 3012 ?        R    03:43 431:51 ssh
> apache    5759  0.0  0.0     0    0 ?        Z    03:51   0:00 [sh] <defunct>
> apache    5763 99.9  0.1  4944 3008 ?        R    03:51 423:32 ssh
> root     11415  0.0  0.0  1596  544 ?        Ss   Jan18   0:00 syslogd -m 0
> root     11425  0.0  0.0  4064 1140 ?        Ss   Jan18   0:00 /usr/sbin/sshd
> root     11437  0.0  0.0  3780 1012 ?        S    Jan18   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
> root     11453  0.0  0.0  7340 1824 ?        Ss   Jan18   0:00 sendmail: accepting connections
> smmsp    11462  0.0  0.0  6488 1636 ?        Ss   Jan18   0:00 sendmail: Queue [EMAIL PROTECTED]:00:00 for /var/spool/clientmqueue
> root     11480  0.0  0.3 19748 6372 ?        Ss   Jan18   0:00 /usr/sbin/httpd
> apache   11487  0.0  0.2 19888 4940 ?        S    Jan18   0:00 /usr/sbin/httpd
> apache   11488  0.0  0.2 19992 5324 ?        S    Jan18   0:00 /usr/sbin/httpd
> apache   11489  0.0  0.2 19996 5180 ?        S    Jan18   0:00 /usr/sbin/httpd
> apache   11490  0.0  0.2 19888 4940 ?        S    Jan18   0:00 /usr/sbin/httpd
> apache   11491  0.0  0.2 19868 4632 ?        S    Jan18   0:00 /usr/sbin/httpd
> apache   11492  0.0  0.2 19864 4996 ?        S    Jan18   0:00 /usr/sbin/httpd
> apache   11493  0.0  0.2 20000 5284 ?        S    Jan18   0:00 /usr/sbin/httpd
> apache   11494  0.0  0.2 19888 4624 ?        S    Jan18   0:00 /usr/sbin/httpd
> apache   22409  0.0  0.1 19748 3712 ?        S    10:20   0:00 /usr/sbin/httpd
> root     23993  0.0  0.0  1856  308 ?        Ss   10:26   0:00 vzctl: pts/0
> root     23994  0.0  0.0  2216 1276 pts/0    Ss   10:26   0:00 -bash
> root     25831  0.0  0.0  2372  756 pts/0    R+   10:55   0:00 ps aux
> apache   30358  0.0  0.2 19888 4612 ?        S    01:05   0:00 /usr/sbin/httpd
>
> (see the 2 processes at 99%)
>
> [EMAIL PROTECTED] top -b -n1
> top - 11:03:12 up 15:50, 0 users, load average: 2.00, 2.00, 2.00
> Tasks: 24 total, 3 running, 19 sleeping, 0 stopped, 2 zombie
> Cpu(s): 10.9% us, 1.5% sy, 0.0% ni, 87.6% id, 0.1% wa, 0.0% hi, 0.0% si
> Mem: 2067756k total, 2007924k used, 59832k free, 211024k buffers
> Swap: 2031608k total, 72k used, 2031536k free, 825952k cached
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>  5660 apache    25   0  4948 3012 1244 R 99.6  0.1 439:43.42 perl
>  5763 apache    25   0  4944 3008 1248 R 97.6  0.1 431:24.66 perl
>     1 root      15   0  1692  612  528 S  0.0  0.0   0:00.10 init
>  5656 apache    16   0     0    0    0 Z  0.0  0.0   0:00.00 sh <defunct>
>  5759 apache    16   0     0    0    0 Z  0.0  0.0   0:00.00 sh <defunct>
> 11415 root      23   0  1596  544  456 S  0.0  0.0   0:00.02 syslogd
> 11425 root      20   0  4064 1140  836 S  0.0  0.1   0:00.06 sshd
> 11437 root      18   0  3780 1012  772 S  0.0  0.0   0:00.00 vsftpd
> 11453 root      18   0  7340 1824  864 S  0.0  0.1   0:00.01 sendmail
> 11462 smmsp     15   0  6488 1636  820 S  0.0  0.1   0:00.00 sendmail
> 11480 root      18   0 19748 6372 3960 S  0.0  0.3   0:00.07 httpd
> 11487 apache    15   0 19888 4940 2352 S  0.0  0.2   0:00.15 httpd
> 11488 apache    15   0 19992 5324 2676 S  0.0  0.3   0:00.13 httpd
> 11489 apache    15   0 19996 5180 2544 S  0.0  0.3   0:00.10 httpd
> 11490 apache    15   0 19888 4940 2352 S  0.0  0.2   0:00.11 httpd
> 11491 apache    18   0 19868 4632 2040 S  0.0  0.2   0:00.11 httpd
> 11492 apache    18   0 19864 4996 2384 S  0.0  0.2   0:00.14 httpd
> 11493 apache    15   0 20000 5284 2624 S  0.0  0.3   0:00.14 httpd
> 11494 apache    18   0 19888 4624 2056 S  0.0  0.2   0:00.12 httpd
> 22409 apache    19   0 19748 3712 1260 S  0.0  0.2   0:00.00 httpd
> 23993 root      15   0  1856  308  208 S  0.0  0.0   0:00.19 vzctl
> 23994 root      16   0  2216 1276 1052 S  0.0  0.1   0:00.12 bash
> 26044 root      15   0  1944  856  684 R  0.0  0.0   0:00.00 top
> 30358 apache    16   0 19888 4612 2036 S  0.0  0.2   0:00.02 httpd
>
> (see the first 2 processes)
>
> I tried everything I could without a reinstall (updates, audit), but the
> web server had to be back up quickly, so I started it again, intending to
> investigate the next day.
>
> The next day ... again:
>
> [EMAIL PROTECTED] ~]# netstat -anput
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
> tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      11418/vsftpd
> tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      11434/sendmail: acc
> tcp        0      0 192.168.100.10:43745        64.89.27.36:36969           ESTABLISHED 23626/httpsd -i eth
> tcp        0      0 :::80                       :::*                        LISTEN      11454/httpd
> tcp        0      0 ::ffff:192.168.100.10:80    ::ffff:192.168.100.5:48596  TIME_WAIT   -
>
> (see httpsd)
>
> [EMAIL PROTECTED] ~]# ps aux
> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
> root         1  0.0  0.3  1704  608 ?        Ss   Jan19   0:00 init [3]
> root     11408  0.0  0.2  1608  528 ?        Ss   Jan19   0:00 syslogd -m 0
> root     11418  0.0  0.5  3812 1000 ?        S    Jan19   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
> root     11434  0.0  0.9  7380 1844 ?        Ss   Jan19   0:00 sendmail: accepting connections
> smmsp    11443  0.0  0.8  6528 1644 ?        Ss   Jan19   0:00 sendmail: Queue [EMAIL PROTECTED]:00:00 for /var/spool/clientmqueue
> root     11454  0.0  3.2 19688 6328 ?        Ss   Jan19   0:00 /usr/sbin/httpd
> root     11463  0.0  0.4  2492  904 ?        Ss   Jan19   0:00 crond
> apache   23626 99.9  1.2  5220 2520 ?        R    10:04  15:00 /usr/sbin/httpsd -i eth0
> apache   23640  0.0  2.2 19784 4412 ?        S    10:04   0:00 /usr/sbin/httpd
> apache   23641  0.0  2.3 19820 4592 ?        S    10:04   0:00 /usr/sbin/httpd
> apache   23642  0.0  2.2 19784 4404 ?        S    10:04   0:00 /usr/sbin/httpd
> apache   23645  0.0  2.2 19784 4384 ?        S    10:04   0:00 /usr/sbin/httpd
> apache   23646  0.0  2.2 19784 4396 ?        S    10:04   0:00 /usr/sbin/httpd
> apache   23647  0.0  2.2 19792 4404 ?        S    10:04   0:00 /usr/sbin/httpd
> apache   23648  0.0  2.2 19784 4384 ?        S    10:04   0:00 /usr/sbin/httpd
> root     24563  0.0  0.2  1852  424 ?        Ss   10:11   0:00 vzctl: pts/0
> root     24564  0.0  0.6  2228 1292 pts/0    Ss   10:11   0:00 -bash
> root     26192  0.0  0.3  2388  776 pts/0    R+   10:19   0:00 ps aux
>
> (the file /usr/sbin/httpsd does not exist)
>
> [EMAIL PROTECTED] ~]# top -b -n1
> top - 10:20:39 up 1 day, 20:22, 0 users, load average: 1.00, 1.00, 1.04
> Tasks: 18 total, 2 running, 16 sleeping, 0 stopped, 0 zombie
> Cpu(s): 4.2% us, 0.7% sy, 0.0% ni, 95.1% id, 0.0% wa, 0.0% hi, 0.0% si
> Mem: 196608k total, 37300k used, 159308k free, 0k buffers
> Swap: 0k total, 0k used, 0k free, 0k cached
>
>   PID USER      PR  NI %CPU    TIME+ %MEM  VIRT  RES  SHR S COMMAND
> 23626 apache    25   0  100 16:04.06  1.3  5220 2520  576 R perl
>     1 root      18   0    0  0:00.05  0.3  1704  608  524 S init
> 11408 root      15   0    0  0:00.01  0.3  1608  528  440 S syslogd
> 11418 root      18   0    0  0:00.00  0.5  3812 1000  772 S vsftpd
> 11434 root      18   0    0  0:00.04  0.9  7380 1844  872 S sendmail
> 11443 smmsp     18   0    0  0:00.01  0.8  6528 1644  828 S sendmail
> 11454 root      18   0    0  0:00.22  3.2 19688 6328 3928 S httpd
> 11463 root      23   0    0  0:00.00  0.5  2492  904  524 S crond
> 23640 apache    18   0    0  0:00.00  2.2 19784 4412 1900 S httpd
> 23641 apache    19   0    0  0:00.00  2.3 19820 4592 2036 S httpd
> 23642 apache    18   0    0  0:00.00  2.2 19784 4404 1884 S httpd
> 23645 apache    19   0    0  0:00.00  2.2 19784 4384 1872 S httpd
> 23646 apache    15   0    0  0:00.00  2.2 19784 4396 1872 S httpd
> 23647 apache    18   0    0  0:00.02  2.2 19792 4404 1892 S httpd
> 23648 apache    15   0    0  0:00.00  2.2 19784 4384 1872 S httpd
> 24563 root      15   0    0  0:00.01  0.2  1852  424  316 S vzctl
> 24564 root      15   0    0  0:00.04  0.7  2228 1292 1068 S bash
> 26292 root      15   0    0  0:00.00  0.4  1960  868  696 R top
>
> Does anyone know how this could have been done and how I fix it?
> Thanks in advance.

I saw something like this a year or so ago at an acquaintance's. A script
that used passthru and uploaded another script into /dev/shm, which it then
executed.

If you don't need PHP, take it down. If you do need it, put it in safe mode.
And you must add something like this to php.ini:

disable_functions = "dbmopen, dbase_open, filepro, filepro_rowcount,
filepro_retrieve, posix_mkfifo, putenv, move_uploaded_file, exec, system,
passthru, popen, mkdir, rmdir, rename, unlink, copy, chgrp, chown, chmod,
touch, symlink, link, getallheaders, highlight_file, show_source,
parse_ini_file"

etc. I don't know whether you can remove all of them in your case, but you
could at least add exec, system and passthru. Look around /dev/shm and you
will probably be surprised. Or /tmp, /var/tmp.

Gabriel

- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFHlMTzeWrbH+aEIG4RAvH4AJ4meK5ehOxX6kXUUJkzSTXtuBth7gCeLIlU
yD7/6o5p5rEiFaSStWtLMUU=
=bxL2
-----END PGP SIGNATURE-----

_______________________________________________
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug
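The listings in the thread carry a clue worth automating: the same PID appears as "ssh" or "/usr/sbin/httpsd -i eth0" in ps aux but as "perl" in top, because ps prints argv (which a script can rewrite) while top prints the kernel's comm name. The Python check below is an added example, not code from the thread; it correlates the two outputs by PID and flags the mismatch, with sample input constructed from the second pair of listings quoted above.

```python
# Constructed sample, trimmed from the second ps/top listings in the thread.
PS_AUX = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 1704 608 ? Ss Jan19 0:00 init [3]
root 11434 0.0 0.9 7380 1844 ? Ss Jan19 0:00 sendmail: accepting connections
root 11454 0.0 3.2 19688 6328 ? Ss Jan19 0:00 /usr/sbin/httpd
apache 23626 99.9 1.2 5220 2520 ? R 10:04 15:00 /usr/sbin/httpsd -i eth0
"""
TOP = """\
PID USER PR NI %CPU TIME+ %MEM VIRT RES SHR S COMMAND
23626 apache 25 0 100 16:04.06 1.3 5220 2520 576 R perl
1 root 18 0 0 0:00.05 0.3 1704 608 524 S init
11434 root 18 0 0 0:00.04 0.9 7380 1844 872 S sendmail
11454 root 18 0 0 0:00.22 3.2 19688 6328 3928 S httpd
"""

def parse_ps(text):
    """Map PID -> (user, full argv string) from `ps aux` output."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)           # COMMAND may contain spaces
        if len(fields) == 11 and fields[1].isdigit():
            procs[int(fields[1])] = (fields[0], fields[10])
    return procs

def parse_top(text):
    """Map PID -> comm (last column) from `top -b -n1` output."""
    rows = (line.split() for line in text.splitlines())
    return {int(r[0]): r[-1] for r in rows if r and r[0].isdigit()}

def argv0_name(argv):
    """Basename of argv[0], minus a login shell's '-' and a zombie's brackets."""
    return argv.split()[0].rsplit("/", 1)[-1].lstrip("-").strip("[]")

def find_masquerading(ps_text, top_text):
    """Return [(pid, user, argv, comm)] where ps's argv[0] and top's comm differ.
    comm is cut to 15 chars and 'sendmail:' vs 'sendmail' is normal, so a
    prefix match in either direction counts as agreement."""
    top = parse_top(top_text)
    hits = []
    for pid, (user, argv) in parse_ps(ps_text).items():
        comm = top.get(pid)
        name = argv0_name(argv)
        if comm and not (name.startswith(comm) or comm.startswith(name)):
            hits.append((pid, user, argv, comm))
    return hits

if __name__ == "__main__":
    for pid, user, argv, comm in find_masquerading(PS_AUX, TOP):
        print(f"PID {pid} ({user}): ps shows {argv!r}, kernel comm is {comm!r}")
```

On a live host the same comparison can be made directly from /proc/<pid>/cmdline against /proc/<pid>/comm, which avoids parsing tool output.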